On Linux security

Well, I was about to go to bed, but I can't sleep till I get this written.

This was prompted by yet another comment thread in which people seem to believe Linux has some kind of special sauce that keeps them super-safe from malware.

The problem is, no, no it doesn't. In practical respects, from the point of view of the individual end-user, a typical modern Linux system is only marginally more 'safe' from malware 'attacks' than a typical modern Windows system.

There are some things many people misunderstand, and it's important to get them right. One: most 'malware' on Windows, these days, is pretty simple. The majority of it falls into the category known as a trojan, or trojan horse. What this means is that it doesn't use some sort of clever exploitation of a security vulnerability in the operating system in order to propagate itself without human intervention. No, it's much more dull. Most malware just works by getting the victims to infect themselves. Why bother going to all that trouble to exploit a security vulnerability that'll probably be patched in a month when you can just write your nasty pop-up ad spawning application, say it's a porn video or a poker game or a bleeding fart noise generator, and slap a few Google ads on some dodgy porn sites? This is how most modern adware works. It gets run because naive users run it, not by exploiting intrinsic vulnerabilities in the operating system.

Two, most of the much-vaunted Linux / Unix 'security measures' have very little relevance to your average desktop Linux user. The whole Linux security model is designed on the basis of a multi-user system. The intent is essentially that every user be allowed to do exactly what the hell s/he wants in his/her own environment - and only in his/her own environment. And this is done, in general, very well (though there are usually at least a few unpatched privilege escalation vulnerabilities in the wild - still, never mind). But you have to realize the implications of this.

If you're in a proper multi-user environment - a single system (however the hardware is set up) with dozens of unprivileged user accounts, and a system administrator - it's a godsend. For the administrator, and all the smart users. But it does nothing for the dumb users. Why? Well, think about it. The point is that nasty code can only screw up an individual user's own stuff - basically, his/her home directory. So no other users are affected, and the system administrator can easily deal with the situation. This is what most Linux / Unix security is about.

So, think through the implications. If you're Joe Dumb User and you just ran a trojan, none of this helps you a jot. Why? Because all the stuff you care about lives...in your user environment. Sure, it's great to know that Jane Smart User and the BOFH can still truck along hunky dory, but there's nothing at all to stop the trojan you just ran from popping up several zillion ads on your desktop. Or opening a browser to a selection of the finest in erotic entertainment sites, just as your boss walks in. Or wiping out all your precious files. Because they're all stored in your flipping home directory, where any process running with your user privileges can do whatever the hell it likes.

Think a little further. If you run Linux on your desktop, you probably don't run a true multi-user environment. Again, the whole concept of multi-user security does stuff all for you. If you run a trojan, it can annoy you as much as it likes, and kill all the data you care about. Yes, multi-user security prevents it doing anything to any system-wide files. But, so what? There's very little you actually care about stored in /usr or /etc, is there? All your contacts, presentations and the fifth draft of your Next Great American Novel all live in /home/yourusername, where the trojan can do whatever the heck it likes to them.

Three, and this is the big one, 99% of desktop Linux users run completely arbitrary code as root, on at least a semi-regular basis.

Yes, really, they (you) do. Why? Well, think about what happens when you install a package. The installation process runs as root. And it runs utterly arbitrary code. When you install an RPM package, something called the post script (the %post scriptlet) is run with root privileges. That script can be, well, anything at all. There's something equivalent for DEB packages (the maintainer scripts), and ebuilds, and every other form of package management. It's not possible to build a package management system without this.

And, shout out if you only ever install properly signed packages from your distribution's official repositories.

...quiet room, huh?

Just about everyone has installed a package for Some Kewl Application from some random third party website somewhere. Heck, this is a third-party website and I throw up packages for people all the time. When you go to www.mycoollinuxsite.com and install a package for a wireless card driver or a poker game or whatever the crap it is - congratulations, you just ran completely arbitrary code as root. You just did exactly the same thing any Windows-using clown who installs some poker game from www.mycoolwindowssite.com did. You don't have a single iota more "protection" or "security" than the Windows-using clown. If whoever made that package - and you don't have a clue who it was - wanted to own your system, they just did. Good job, sport.
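The DEB counterpart of the RPM post script described above is the set of maintainer scripts (preinst, postinst, prerm, postrm) carried in the package's control archive, and the one defensive move available to the person typing the root password is to read them first. The following is an added example written for this page, not code from the post or from dpkg: it builds a small .deb fixture in memory (a .deb is an `ar` archive holding control.tar.gz and data.tar.gz), pulls the maintainer scripts back out, and flags lines worth a second look. The package name kewlapp, its maintainer field, the postinst contents and the watch list of patterns are all constructed assumptions of this example.

```python
"""Look at a package's maintainer scripts before you install it.

Added example, not code from the original post. It builds a small .deb
fixture in memory (a .deb is an 'ar' archive holding control.tar.gz and
data.tar.gz) and then pulls the preinst/postinst/prerm/postrm scripts
back out, which is what the install process will run as root.
"""
import io
import tarfile

MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Heuristic watch list (an assumption of this example, not an official list):
# cron persistence, disk wiping, and fetch-and-run patterns.
WATCH = ("/etc/cron", "crontab", "/dev/zero", "rm -rf /", "rm -fr /",
         "| sh", "| bash", "curl ", "wget ")


def _ar_member(name: str, data: bytes) -> bytes:
    """One 'ar' member: 60-byte header (name 16, mtime 12, uid 6, gid 6,
    mode 8, size 10, magic 2) followed by the data, padded to 2 bytes."""
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def build_deb(control: str, scripts: dict) -> bytes:
    """Construct a minimal .deb in memory (test fixture only)."""
    ctl = io.BytesIO()
    with tarfile.open(fileobj=ctl, mode="w:gz") as tar:
        entries = [("control", control, 0o644)]
        entries += [(n, t, 0o755) for n, t in scripts.items()]
        for name, text, mode in entries:
            data = text.encode()
            info = tarfile.TarInfo("./" + name)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    data_tar = io.BytesIO()
    with tarfile.open(fileobj=data_tar, mode="w:gz"):
        pass  # no payload files are needed for this demonstration
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", ctl.getvalue())
            + _ar_member("data.tar.gz", data_tar.getvalue()))


def ar_members(blob: bytes) -> dict:
    """Parse the outer 'ar' container into {member name: bytes}."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive, so not a .deb")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().strip().rstrip("/")  # GNU ar appends '/'
        size = int(hdr[48:58].decode().strip())
        start = pos + 60
        members[name] = blob[start:start + size]
        pos = start + size + (size % 2)  # members are 2-byte aligned
    return members


def maintainer_scripts(deb: bytes) -> dict:
    """{script name: text} for every maintainer script in the control archive."""
    members = ar_members(deb)
    ctl_name = next(n for n in members if n.startswith("control.tar"))
    found = {}
    with tarfile.open(fileobj=io.BytesIO(members[ctl_name]), mode="r:*") as tar:
        for info in tar.getmembers():
            base = info.name.lstrip("./")
            if info.isfile() and base in MAINTAINER_SCRIPTS:
                found[base] = tar.extractfile(info).read().decode()
    return found


def flag_lines(script: str) -> list:
    """Lines a reviewer should read before typing the root password."""
    return [ln.strip() for ln in script.splitlines()
            if any(w in ln for w in WATCH)]


def review_package(deb: bytes) -> dict:
    """{script name: flagged lines}; an empty list means nothing matched."""
    return {name: flag_lines(text) for name, text in maintainer_scripts(deb).items()}


# Constructed fixture: a routine-looking postinst with one persistence line.
SAMPLE_POSTINST = """#!/bin/sh
set -e
ldconfig
echo '0 3 * * * root /opt/kewlapp/phone-home.sh' >> /etc/crontab
"""
SAMPLE_PRERM = "#!/bin/sh\nset -e\n"
SAMPLE_CONTROL = ("Package: kewlapp\nVersion: 1.0\nArchitecture: all\n"
                  "Maintainer: unknown <nobody@example.invalid>\n"
                  "Description: constructed test fixture\n")


def build_sample_deb() -> bytes:
    return build_deb(SAMPLE_CONTROL,
                     {"postinst": SAMPLE_POSTINST, "prerm": SAMPLE_PRERM})


if __name__ == "__main__":
    pkg = build_sample_deb()
    for name, text in maintainer_scripts(pkg).items():
        print(f"== {name} ==\n{text}")
    print("flagged:", review_package(pkg))
```

On a real package you do not need to write the parser: `dpkg-deb -e some.deb outdir` extracts the control archive, including the maintainer scripts, and `rpm -qp --scripts some.rpm` prints an RPM's scriptlets, both without installing anything. The watch list here is only a prompt to read the script; a clean result from it is not a verdict on the package, and the script runs as root whether or not it trips a pattern.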

I'm not saying this to be negative about the importance of security or how well security is managed on Linux. Security is vital, and Linux distributions generally achieve their security goals rather well. The point is a general one. As long as an operating system lets the user run arbitrary code, it's always going to be possible for a trojan to do whatever it likes to all the data that user cares about. As long as an operating system wants to make it relatively easy to install applications, it's always going to be possible for a trojan to do whatever the hell it likes to any system, if someone chooses to install it. There is no security measure against that. The only operating system that can be 'secure' against this type of attack is one which is very locked down, and does not allow you to install or run arbitrary code. Like a restricted cellphone operating system. That's fine, but it's not what people want on their computers.

It's really important that everyone who owns a computer understands this. Your computer is not magic. It cannot protect you from malicious code if you choose to run that code, no matter whether your operating system is Windows, Linux, OS X, FreeBSD or bloody BeOS. Dan says that data you keep in just one place is obviously data you don't care about. I'd add that data you keep on a system on which you run arbitrary code, and nowhere else, is also obviously data you don't care about.

Most people are not willing to accept the inconvenience that comes with only ever installing code that is either a) 100% provably provided by a person or company you trust implicitly, or b) something you've examined every line of yourself. And that's fine. But if you're in this majority, you have to accept that the danger of trojan-type malware is one that can never be designed out by an operating system, and don't be lulled into a false sense of security by the 'Linux is invincible' crowd. Yes, Linux is a properly multi-user operating system and secure from that perspective, in most implementations. Yes, Linux is generally quite well-secured against true 'viruses' - malicious code that is run without explicit user intervention. No, it is not magically safe against malicious code unwittingly run by the operator. It can never be.

The bottom line - I could publish a package along with this post which, after you double-clicked on it, entered your root password, and said "yes" to "the package is not signed, install it anyway?", would zero out your hard disk. I could, by writing this post differently, probably convince quite a lot of people to install said package. Just because it (to my knowledge) hasn't happened yet, doesn't mean it can't. Be careful what you run.

Comments

misc wrote on 2009-01-20 10:15:
I don't agree, it already happened :) I know some guy in some 3-letter organisation with a penguin with a gun that told a user to install an xinetd config file that was running bash as root on port 5000 :)
vfmmeo wrote on 2009-01-20 13:09:
Yes! Lately we have had a little discussion about security in Blogdrake. And my opinion is absolutely the same as yours: The key component of any kind of security infrastructure in a desktop system is located between the keyboard and the chair. There are no more or less secure operating systems (in general terms), there are more or less cautious and smart computer users. It's exactly the same, a double-click on "halleberrynudexxxscreensaver.exe" or "halleberrynudexxxscreensaver.rpm" (or ".deb") next -> next -> next... "Hey! Where's Halle?"
glyj wrote on 2009-01-20 14:11:
In fact, from that point of view, Windows is more secure than Linux, if some programs like Norton are installed. Antivirus and firewalls are quite old on Windows platforms :-D : they had time to improve the tools. I read an article about this in an excellent magazine called MISC (it's a French one); they performed several tests on several platforms and presented the methods to detect suspicious behaviours on the system... (with plenty of maths & algorithms....) The introduction was something like: "we managed to break ALL the systems we tested (including OpenBSD, Linux...)" and "but some were harder to break..." One of the best ones was Windows with antivirus & firewall... regards, glyj
glyj wrote on 2009-01-20 16:58:
I forgot a link to MISC : http://www.miscmag.com/
Dark_Schneider971 wrote on 2009-01-20 17:56:
You're 100% right Adam. In fact the strength of Linux is the fact that ... it's not easy to install third-party applications! Indeed, to install third-party applications you have to deal with several issues: package format (TGZ vs RPM vs DEB), API/library version issues, compatibility issues, needing to know the root password eventually. So one of the main weaknesses of Linux in being easy to use for the mass consumer market is in fact also what allows Linux to be less targeted by malware. When everybody is running Ubuntu with full sudo power for the first user, then we will have the same issues as Windows users ;-) SELinux/AppArmor may help, but most of the time only for known applications, as you can provide rules saying that application X is allowed to do this, but not allowed to do that. But for a third-party application? As you don't know, you will let the application do whatever it wants, and then it can just open an unprivileged port and listen or send information... The only ways to be protected against these kinds of issues are:
- monitor changes to critical system configuration files or binaries (chkrootkit for example)
- prevent unknown or unwanted applications from communicating with the outside world with a firewall (however at one point users will just answer yes to everything).
- monitor system activity for abnormal behaviour... in short, running an AntiVirus/AntiTrojan/AntiMalware...
- or easier: only install packages from trusted sources. However, is Mandriva checking all the code in all of its packages? I don't think so. It's easy to become the packager for a distribution, doing a good job at the beginning, and when you are ready, add some subtle change that will allow you to install a rootkit or trojan on the users' computers. And you don't even need to do a "rm -fr /" right after the package installation. Just edit root's crontab or put a file in /etc/cron.monthly or cron.yearly.
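The first item in the commenter's list, watching critical configuration files (including the cron directories he names) for changes, comes down to a baseline-and-diff check, which the following illustrates. This is an added example written for this page, not code from the commenter or from chkrootkit: it snapshots the SHA-256 and mode of every regular file under a directory, stores the snapshot, and later reports what was added, removed or modified. The directory contents are constructed in a temporary directory, and the package name kewlapp in the simulated change is made up.

```python
"""Baseline-and-diff integrity check for configuration and cron directories.

Added example, not code from the comment or from chkrootkit. It takes a
snapshot of every regular file under a directory (sha256 and mode), keeps
it, and later reports what was added, removed or modified. The demo
directory layout is constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile


def snapshot(root: str) -> dict:
    """{relative path: {"sha256": ..., "mode": ...}} for regular files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            # Skip symlinks and specials: the target's content is what matters,
            # and it is covered when the walk reaches it.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = {
                "sha256": digest,
                "mode": oct(os.stat(path).st_mode & 0o7777),
            }
    return baseline


def compare(old: dict, new: dict) -> dict:
    """Report paths added, removed, or whose content or mode changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def _write(root: str, rel: str, text: str, mode: int = 0o644) -> None:
    """Helper for the constructed scenario: create a file with a given mode."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def demo() -> dict:
    """Constructed scenario: baseline a fake /etc, then simulate a package
    install that edits the crontab, drops a cron.monthly job and removes
    an existing cron.d entry. Returns the diff report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "crontab", "SHELL=/bin/sh\n")
        _write(root, "cron.d/backup", "0 2 * * * root /usr/local/bin/backup\n")
        _write(root, "hosts", "127.0.0.1 localhost\n")
        # In practice the baseline is stored off the box so it cannot be
        # edited alongside the files it describes.
        baseline_json = json.dumps(snapshot(root))

        _write(root, "crontab", "SHELL=/bin/sh\n0 3 * * * root /opt/kewlapp/update.sh\n")
        _write(root, "cron.monthly/kewlapp", "#!/bin/sh\n", 0o755)
        os.remove(os.path.join(root, "cron.d/backup"))

        return compare(json.loads(baseline_json), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report for the constructed scenario lists cron.monthly/kewlapp as added, cron.d/backup as removed and crontab as modified, while hosts is silent. The check is only as good as the baseline's custody: if the snapshot lives on the same disk with the same permissions as the files it covers, whatever runs as root during an install can rewrite both.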
adamw wrote on 2009-01-20 18:24:
Dark: "In fact the strength of Linux is the fact that … it’s not easy to install third-party applications ! Indeed to install third-party applications you have to deal with several issues : package format ( TGZ vs RPM vs DEB ), API/libraries versions issues, compatibility issue, need to know root password eventually." Well, I'm not really sure that's a big deal, to be honest. Sure, it's an issue for legitimate code. But most malicious code is fairly simple. To wipe your hard disk, all it needs is dd and /dev/zero, after all. No APIs or libraries involved. I don't see package format as a big deal, either. Just pick one and attack it, or provide two malicious packages. Again, a malicious *package* only needs to be very simple, so all the complexities of the different formats don't really matter. "or easier : only install packages from trusted sources. However, is Mandriva checking all the code in all of its packages ? I don’t think so." No, exactly. I was going to extend the post to cover that, but it was getting rather long. Never mind Mandriva - practically speaking, no popular end-user distribution is remotely close to reliably auditing all the code it contains. I can believe that, say, whatever the NSA runs on its critical systems, that's 100% audited. But Fedora? Ubuntu? Mandriva? Nope, not a chance. Even if we assume that it would be difficult for a malicious person to become a trusted packager (which, as you point out, isn't really true), no packager audits all the code they package. They just trust upstream.
boklm wrote on 2009-01-20 18:53:
I agree with what you said, but I think there is still a reason why it's much easier to create a virus on Windows:
- On Windows the usual way to install software is to use Google and download it from a random web site. And some of those web sites are created by people who happen to have a virus on their computer.
- On Linux you use the package manager.
- On Windows, because you have to download programs yourself, people often keep executable files in some folders on their hard drive; a few months later they burn them on a CD and use them on another computer or give them to their friends. A virus infecting all executables on a computer can easily move to another computer this way.
- On Linux everything is available in the package repository. Keeping a collection of packages on your hard drive is not very useful, so most people don't do it.
vfmmeo wrote on 2009-01-21 08:19:
@boklm "- On Linux you use the package manager." That's not always true. That's the point. If your distro has not packaged the software, if the proprietary driver isn't available, if you're new to Linux and all you know how to do is the Windows way... And what's the difference (again) between "halleberrynude.rpm" (or .deb) and "halleberrynude.exe"? You only need a double-click and a root password?
boklm wrote on 2009-01-21 09:56:
@vfmmeo: yes you can also install software manually on Linux, but that's not what you do most of the time. On Windows that's what you have to do most of the time because there is no other way. That's the difference.
Dark_Schneider971 wrote on 2009-01-21 10:44:
boklm> Sure, but it's also because on Linux we are not used to installing third-party software. But when you have a mass market for Linux, you will have more third-party software (i.e. proprietary software) that people will have to install themselves manually, as some may not be packaged by the distro. Think of some games, Photoshop, iTunes, etc.... OK, we have near equivalents, but in the end, it's the user who takes the decision.
Dark_Schneider971 wrote on 2009-01-21 10:45:
adamw> I wrote a more complete follow-up on my blog : http://linux-wizard.net/blog-follow_up__on_linux_security-250.html
vfmmeo wrote on 2009-01-21 13:13:
@Dark: That's the key!
[...] AdamW is still insisting that Linux is not secure (et tu, Adam?): http://www.happyassassin.net/2009/0… [...]
tech78 wrote on 2009-02-02 20:42:
As a support tech who's cleaned up more than his share of virus & malware infected Windows machines, I've seen nothing comparable to the "drive-by" vulnerabilities posed by ActiveX scripting. I know Java and Javascript come close, but still nothing like the gaping hole provided by the Internet Explorer/ActiveX combo from what I see in the field.